Hacker Flies Away With British Airways Customer Data

British Airways is warning customers that it suffered a hack attack that compromised up to 380,000 customers' payment cards as well as personal data over a 15-day period. Security experts say all breach victims should immediately contact their credit or debit card provider.

"British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com, and the airline's mobile app," the company says in its data breach notification to customers. "The stolen data did not include travel or passport details."

The breach began at 10:58 p.m. British Standard Time on Aug. 21 and persisted until 9:45 p.m. on Sept. 5, says the airline, which is part of Madrid-based International Airlines Group.

All customers who bought or changed a ticket using the website or mobile app during that timeframe were potentially affected, BA says.

Following in the footsteps of many other data breach victims, Alex Cruz, the CEO and chairman of British Airways, claimed that the attack had been sophisticated. Speaking to the BBC, Cruz apologized for his company having suffered a "sophisticated, malicious criminal attack," and said measures were being put in place to prevent a recurrence.

Cruz said the breach was discovered on Wednesday, after a business partner that monitors its websites alerted the airline. Cruz says the airline immediately began investigating the apparent breach.

"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," Cruz says in a statement.

Breach Mitigated, Airline Says

British Airways says the breach has been mitigated and that its website is safe to use again. "The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal," the airline says.

Alert on British Airways' website

The airline says it's working with law enforcement agencies to investigate. "We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," the airline says.

British Airways took out a number of full-page advertisements in U.K. newspapers Friday to apologize for the breach.

GDPR Enforcement in Effect

The U.K.'s data protection authority, the Information Commissioner's Office, says it's aware of the breach and waiting for more information. "British Airways has made us aware of an incident and we are making enquiries," the ICO says in a statement.

The ICO enforces the EU's General Data Protection Regulation, which went into full force on May 25. GDPR requires organizations to report some types of breaches to relevant authorities within 72 hours of discovering the breach, as the airline appears to have done.

Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements can also face fines of up to €10 million ($12 million) or 2 percent of annual global revenue.

The U.K.'s National Cyber Security Center, which serves as the country's computer emergency readiness team and is part of the intelligence agency GCHQ, says it's also tracking the breach.

"We are aware of reports of a data breach affecting British Airways," NCSC says in a statement. "We are working with partners to better understand this incident and how it has affected customers."

Airline Directly Notifies All Customers

British Airways says that it notified all affected customers on Thursday night.

"Every customer affected will be fully reimbursed and we will pay for a credit checking service," the airline says. "We take the protection of our customers' data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."

Consumer rights and product-testing group Which says anyone who might have been affected by the breach should immediately change their British Airways password, as well as anywhere else they may have used the same password (see Why Are We *Still* So Stupid About Passwords?).

"We recommend you choose a unique password that you do not use for any other online account," British Airways says. To change their password, it says users should visit the ba.com homepage and "click the 'Forgotten PIN/Password' link on the top right-hand corner."

If you are concerned you may have been affected by the British Airways data breach you should:

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
